CNN.com
COMPUTING

From...
Computerworld

Experts warn of security hole in Microsoft Java machine

October 18, 1999
Web posted at: 1:06 p.m. EDT (1706 GMT)

by Sharon Machlis

(IDG) -- A German researcher has discovered what some experts call a "serious security flaw" in Microsoft Corp.'s Java Virtual Machine (JVM). The problem appears to affect recent versions of JVM for Windows, which is used in software such as Internet Explorer, Microsoft Outlook and the Eudora e-mail program.

Karsten Sohr at the University of Marburg reported finding the bug in the JVM's bytecode verifier. Bytecode is the name for compiled Java programs. The glitch allows a code sequence to be put together that improperly puts the values from one Java type into the values of another Java type. The JVM verifier is supposed to catch such a transfer of values.

An attack applet can exploit the glitch and override JVM security, doing things such as reading private data or modifying and deleting files on a victim's machine, Reliable Software Technologies Corp. (RST) in Dulles, Va., a software-assurance consulting firm, said yesterday.

Researchers at RST and Princeton University's Safe Internet Programming team have verified Sohr's findings, according to a statement issued by RST.

"Attack applets are the worst category of Java-borne attacks since they carry out system modification," said Gary McGraw, vice president of corporate technology at RST and author of the book Securing Java. Microsoft has been notified of the problem.

"Microsoft is working on making a fix available as soon as possible," a company spokesman said today. The security hole is difficult to discover and exploit, and Microsoft is not aware of any users being affected by the problem, the spokesman added. Still, the company takes such security matters seriously, she said. Information on a fix should be available on Microsoft's Java Web site.

